Skip to content

CloudFront URL signer no longer URL-encodes spaces in S3 object keys after PR #7237 #7571

New issue
New issue
Open
Open
CloudFront URL signer no longer URL-encodes spaces in S3 object keys after PR #7237#7571
Assignees
trivikr
Labels
bugThis issue is a bug.p2This is a standard priority issuepotential-regressionMarking this issue as a potential regression to be checked by team memberqueuedThis issues is on the AWS team's backlog
@clemsonfan101

Description

@clemsonfan101
clemsonfan101
opened on Dec 12, 2025

Checkboxes for prior research

Describe the bug

Summary

After PR #7237, the CloudFront URL signer has stopped URL-encoding spaces in S3 object keys, causing a breaking change in signed URL generation.

Background

Prior to PR #7237, when signing CloudFront URLs for S3 objects containing spaces in their keys (e.g., "My File.pdf"), the signer would automatically URL-encode the space as %20, producing a valid signed URL like https://example.cloudfront.net/My%20File.pdf?....

Current Behavior

After PR #7237, the CloudFront signer returns unencoded spaces in the URL (e.g., https://example.cloudfront.net/My File.pdf?...), which produces invalid URLs that fail in browsers and HTTP clients.

Expected Behavior

The CloudFront signer should either:

  1. Automatically URL-encode special characters (including spaces) in object keys, OR
  2. Clearly document that clients must URL-encode keys before passing them to the signer

Impact

This is a breaking change that affects:

  • Existing applications relying on automatic URL encoding
  • S3 objects with spaces or special characters in their keys
  • Any workflow where user-provided filenames are used as S3 keys

Steps to ### Reproduce

// Example code demonstrating the issue
const signer = new CloudFrontUrlSigner(/* config */);
const url = signer.getSignedUrl({
  url: 'https://example.cloudfront.net/My File.pdf',
  // ... other params
});
console.log(url); // Contains unencoded space

Environment

AWS SDK version: [post-PR #7237]
Node.js version: [v22]

Proposed Solution

Either revert the behavior to automatically URL-encode keys, or update the documentation to explicitly state that URL encoding is the caller's responsibility.

Regression Issue

  • Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/[email protected]

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v22.15.0

Reproduction Steps

// Example code demonstrating the issue
const signer = new CloudFrontUrlSigner(/* config */);
const url = signer.getSignedUrl({
  url: 'https://example.cloudfront.net/My File.pdf',
  // ... other params
});
console.log(url); // Contains unencoded space

Observed Behavior

https://example.cloudfront.net/My File.pdf?...

Expected Behavior

https://example.cloudfront.net/My%20File.pdf?....

Possible Solution

Either revert the behavior to automatically URL-encode keys, or update the documentation to explicitly state that URL encoding is the caller's responsibility.

Additional Information/Context

No response

Metadata

Metadata

Assignees

Labels

bugThis issue is a bug.p2This is a standard priority issuepotential-regressionMarking this issue as a potential regression to be checked by team memberqueuedThis issues is on the AWS team's backlog

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions